Murali Shanmugham

Setting up Authentication for Cloud Portal using Cloud Identity – V

This blog is part of a series which is related to setting up Cloud Identity to authenticate Cloud Portal in different scenarios.

Setting up Authentication for Cloud Portal using Cloud Identity

Part 1 – Setting up SCI as IdP for a vendor facing Cloud Portal

Part 2 – Using Social Identity Providers to access Cloud Portal

Part 3 – Setup Self-registration form

Part 4 – Manage Cloud Portal Catalogs and roles

Part 5 – Mapping of groups between SCI and Cloud Portal

Part 6 – Setup 2FA for Cloud Portal access


In the previous blog, we saw how to create roles and assign them manually to users within the Cloud Portal. In a real-world scenario, it is unlikely that we would add each user individually to these custom HCP roles: with thousands of users, managing the assignments in the Cloud Portal configuration section would become cumbersome. In this blog, I am going to show how we can map users to groups and manage this more efficiently.

Creation of Groups in HCP Cockpit

When dealing with large user volumes, it is recommended to use groups to manage user access. Navigate to the “Authorization” menu of the HCP cockpit, create two groups, Employee and Manager, and assign the respective HCP roles to them as shown below.


Creation of Groups in Cloud Identity

Log in to SCI as an administrator and click on the “User Groups” tile.


Navigate back to the “User Management” tile and edit the Employee user to assign this user to the newly created SCI user group.


In the next blog, we shall see how to set up and use Two-Factor Authentication (2FA) in SCI to access the Cloud Portal.


8 Comments

Parag Jain

      Thank you for blog, I was wanting to do this for a long time and your blog helped me close this quickly.

      Murali Shanmugham
      Blog Post Author

      Hi Parag, Thanks for your feedback.

      Jacques-Antoine Ollier

      Currently this is the best blog I read on SCI!

      Very good job @Murali Shanmugham!!!

      Thank you very much for this precious information.

      Murali Shanmugham
      Blog Post Author

      Thanks for the feedback 🙂


      Juan Alejandro Knight

      Very good post. Just one comment. I have tested a similar scenario with a user assigned to two different groups. I have mapped the SCP groups to the SCI user groups using regular expression and it works fine.

There is a curious detail. Although the SAML Assertion Attribute is called “groups”, this is quite misleading. I have called the User API to display the values of the assertion attributes for the current user. Strangely, the field "groups" comes with only one group key although in SCI it has two user groups assigned. I expected this field to return the groups delimited by a comma or something of that sort.

      Murali Shanmugham
      Blog Post Author

      Hi Juan,

Thanks. Can you please provide the details of the user API which you are using? If I try to query the SCI user details using https://<Cloud_Identity_Tenant>/service/scim/Users/<USER_ID>, this shows me the list of all groups assigned to a particular user.

      Juan Alejandro Knight

      Hi Murali,

      I was using the User API "/services/userapi" in SCP (not in Cloud Identity) mentioned in this blog.

That API only returns one group in the "groups" SAML Assertion attribute.

      Murali Shanmugham
      Blog Post Author

      Hi,

Did you try setting the "multiValuesAsArrays" URL parameter to true? If it doesn't help, I would suggest you raise a question in the forum.

      Thanks,
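An added example (not code from the blog post, its comments, or SAP) illustrating the point raised in this thread: a small browser-side helper that reads the "groups" SAML attribute from the HCP User API and normalises it whether it arrives as a single value (the default the comments describe) or as an array (with `multiValuesAsArrays=true`), together with an illustrative model of the regex-based group mapping mentioned above. The `/services/userapi/attributes` endpoint path, the response shape and the mapping-rule format are assumptions.

```javascript
// Added example, not code from the blog post or from SAP: normalise the "groups"
// SAML assertion attribute returned by the HCP User API. By default only one value
// is returned (as the comments observe); with ?multiValuesAsArrays=true it should
// arrive as an array. Endpoint path and response shape are assumptions.
const USER_API_ATTRIBUTES = "/services/userapi/attributes?multiValuesAsArrays=true";

// Constructed sample responses mimicking the two shapes discussed in the comments.
const SAMPLE_SINGLE = { groups: "Employee" };               // default behaviour
const SAMPLE_ARRAY  = { groups: ["Employee", "Manager"] };  // with multiValuesAsArrays=true

// Always return an array of group names, whatever shape the attribute has.
function groupsFromAttributes(attrs) {
  const raw = attrs && attrs.groups;
  if (raw === undefined || raw === null) return [];
  if (Array.isArray(raw)) return raw.map(String);
  // Tolerate a comma-delimited string as well, in case an IdP sends one.
  return String(raw).split(",").map(s => s.trim()).filter(Boolean);
}

// Illustrative model of assertion-based group mapping (the mechanism the comments
// describe, not the platform's own implementation): each rule tests the values of a
// SAML attribute against a regular expression and grants one HCP group. The patterns
// are anchored so that, e.g., a group named "NotManager" cannot satisfy the Manager rule.
const MAPPING_RULES = [
  { attribute: "groups", pattern: /^Employee$/, hcpGroup: "Employee" },
  { attribute: "groups", pattern: /^Manager$/,  hcpGroup: "Manager" },
];

function mapToHcpGroups(attrs, rules = MAPPING_RULES) {
  const granted = new Set();
  for (const rule of rules) {
    const values = rule.attribute === "groups"
      ? groupsFromAttributes(attrs)
      : [].concat(attrs[rule.attribute] ?? []).map(String);
    if (values.some(v => rule.pattern.test(v))) granted.add(rule.hcpGroup);
  }
  return [...granted];
}

// Client-side convenience for showing or hiding UI elements only; the roles behind the
// Cloud Portal content are still enforced server-side by the assignments in the cockpit.
async function fetchHcpGroups() {
  const res = await fetch(USER_API_ATTRIBUTES, { credentials: "same-origin" });
  if (!res.ok) throw new Error(`User API returned HTTP ${res.status}`);
  return mapToHcpGroups(await res.json());
}
```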